Cisco Web Security Appliance S170 User Guide

Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 12  Decryption Policies
Bypassing Decryption
Some HTTPS servers do not work as expected when traffic to them is decrypted by a proxy server, such 
as the Web Proxy. For example, some websites and their associated web applications and applets, such 
as high security banking sites, maintain a hard-coded list of trusted certificates instead of relying on the 
operating system certificate store.
You can bypass decryption for HTTPS traffic to these servers to ensure all users can access these types 
of sites. 
To bypass decryption for some websites:
Step 1  Create a custom URL category that contains the affected HTTPS servers by configuring the Advanced properties.
Step 2  Create a Decryption Policy that uses the custom URL category created in Step 1 as part of its membership, and set the action for the custom URL category to Pass Through.
Importing a Trusted Root Certificate
When the Web Proxy receives a connection request for an HTTPS server, it validates the trustworthiness 
of the destination server by verifying the root certificate authority that signed the server certificate. If 
the Web Proxy does not recognize the root certificate that signed the server certificate, then it does not 
trust the server certificate. This happens when the HTTPS server uses a certificate authority that is not 
listed in the set of trusted certificate authorities that ship with the Web Security appliance. This might 
happen if your organization uses an internal certificate authority to sign certificates for servers on the 
internal network.
To prevent the Web Proxy from potentially blocking access to servers with unrecognized root certificate 
authorities, you can upload to the appliance root certificates that your organization trusts. For example, 
you might want to upload a root certificate used by the servers on your network.
You can upload multiple root certificate files to the appliance, and each file you upload can contain 
multiple root certificates. However, each certificate you upload must be a root certificate.
To import a trusted root certificate:
Step 1  Navigate to the Security Services > HTTPS Proxy page.
Step 2  In the Custom Root Authority Certificates section, click Import.
Step 3  In the Import Custom Root Authority Certificate File, click Browse.
Step 4  Navigate to the location where the custom root authority certificate file is located and click Open.
Step 5  Click Submit.
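Because every certificate in an uploaded file must be a root, a bundle can be checked on the administrator's workstation before the import procedure above. The script below is an added example, not part of the Cisco guide: it assumes a PEM-encoded bundle and the OpenSSL command-line tool, the function names are illustrative, and it treats a certificate as a root when it is self-issued and its signature verifies under its own key (it does not reproduce the appliance's own validation).

```shell
#!/bin/sh
# Added example: confirm every certificate in a PEM bundle is a root before upload.
# Assumes the OpenSSL CLI is installed; function names are illustrative.

# is_root_cert FILE: succeeds if FILE holds a self-issued, self-signed certificate.
is_root_cert() {
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null) || return 1
    issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 2>/dev/null) || return 1
    # Self-issued: the subject and issuer distinguished names are identical.
    [ "${subject#subject=}" = "${issuer#issuer=}" ] || return 1
    # Self-signed: -check_ss_sig makes OpenSSL verify the root's own signature,
    # which it skips by default. An expired certificate also fails here.
    openssl verify -check_ss_sig -CAfile "$1" "$1" >/dev/null 2>&1
}

# check_root_bundle FILE: succeeds only if FILE contains at least one
# certificate and every certificate in it passes is_root_cert.
check_root_bundle() (
    tmp=$(mktemp -d) || exit 2
    # Split the bundle: one numbered file per PEM certificate block.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$1"
    rc=0
    count=0
    for f in "$tmp"/cert*.pem; do
        [ -e "$f" ] || break
        count=$((count + 1))
        if is_root_cert "$f"; then
            echo "root:       $(openssl x509 -in "$f" -noout -subject)"
        else
            echo "NOT a root: $(openssl x509 -in "$f" -noout -subject 2>/dev/null)"
            rc=1
        fi
    done
    [ "$count" -gt 0 ] || { echo "no certificates found in $1"; rc=1; }
    rm -rf "$tmp"
    exit "$rc"
)

# Usage: sh check_roots.sh custom-roots.pem   (file name is a placeholder)
if [ "$#" -gt 0 ]; then
    check_root_bundle "$1"
fi
```

A non-zero exit status means the file contains an intermediate or server certificate, or no certificate at all, and should be corrected before it is imported.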